At Redcentric we’ve a long history of doing business with the public sector, and like anyone else working within this sector we’re well aware of the Government’s Business Impact Levels (BILs). These security controls require the measurement of all goods, services and activities to be rated against the likely impact of that service being compromised or unavailable. Anyone that transits, stores or processes data for HM Government is required to adhere to BILs.
Prior to April this year, BILs were defined in seven different levels from 0 up to 6. At the most basic level was 0, which meant that services, activities or products were not considered to need protecting. In other words, the impact of the loss of service, or in our case data, was minimal. As you moved up the levels, the security restrictions increased incrementally – from ‘unprotected’ to ‘restricted’ to ‘secret’ until you reached the highest level. Level 6 is rated as top secret and then there was Special Customer Record (SCR) or Special Access (SA) level that protected data on individuals of special interest – think the Queen.
The problem with the ratings being set this way was two fold. Firstly, most users tended to over-rate the impact of their data. It was a relatively frequent occurrence to hear a department head or ICT manager define their data as top secret, when in reality a restricted rating was more than acceptable. And of course the higher the security required for storing data, the higher the costs of doing so.
On the other hand, as a provider of ICT services you were often housing data from different departments with different BIL ratings. As the volume of the data increased through the concept of aggregation, the BIL also increased and soon you also have to reclassify previously low rated BIL data to a higher level – once again increasing costs.
To overcome these two problems, the Government recently redefined the BIL protected marking scheme and there are now just three levels:
- Official – this incorporates the BILs 0-3 and adds a further level known as official sensitive that is comparable to BIL 4
- Secret – equivalent to BIL 5 and a big jump from the previous marking
- Top secret – considered to be equivalent to BIL 6
By consolidating the number of markings and making the gap between each of them wider, suppliers are no longer subject to the issue of aggregation of volume of data versus quality of data being secured. The new markings have also gone a long way in simplifying security assurance processes, making projects more accessible to potential providers who were previously put off bidding for work by its complexity. Perhaps the biggest impact of the change to the scheme is that it has helped to lower the barrier to entry for some SME providers who are able to meet the ‘official’ level but not the secret or top secret level.
While the Government hasn’t required all old data to be reclassified under the new system, it has enforced the new protected marking scheme and new services will need to be compliant. This significant step change in information assurance and security will help continue to move the Government and its data into the digital service delivery era it has wholeheartedly signed up for.